Reminder Security Issues

Description

Hi Deniz,
it's me again. With bugfix of we could complete our tests of Issue Reminders. During testing we had some questions and found some issues with Reminder Security:
Questions:

  • The Group field for Reminders is only used for further notifications of further users and for further JQL filtering options? It has nothing to do with Reminder Security (who can view and edit Reminders), or?

  • Private Reminders are visible to the Creator of the Reminder only and not to any other users or Groups entered, or?

Issues:

  • Issues with a Private Reminder are given back as a filter result when using the issuesWithReminderForUser("XXX") or issuesWithReminderForGroup("XXX") functions. This shouldn't be allowed in any function provided by the reminder Add-On, as, with the implementation, sensitive Reminder Information could be shown as a column in the filter result.
    When using other functions like issuesWithReminders or issuesWithReminderDueWithin, private Reminders are filtered out.

  • When a group is entered in the "Groups Allowed to Edit Other's Reminders" section, users of the group are also allowed to see and delete private reminders (edit is not possible). Private reminders need to be visible to the Creator only.

Environment

None

Activity

Deniz Oğuz
October 20, 2017, 9:39 AM
  • The Group field is not for review of the reminder. Just like the email and user fields, the reminder email is sent to users in that group.

  • Yes, private reminders are not visible to users in the selected group.

  • Details of a private reminder shall not be visible to others in a custom field column or in the result of JQL. If it is, this should be a bug. I will test that.

  • Users of the group specified in "Groups Allowed to Edit Other's Reminders" should be able to view/delete/edit other users' reminders even if they are private. Some users should be able to view others' reminders. Assume that an employee created a recurring reminder and left the company. If this recurring reminder is not needed anymore, someone should be able to delete it. In that regard, private reminders are visible to users in special groups (specified in the setting) and the creator of the reminder. You can leave these groups empty if you want only the creator of the reminder to see the reminder. If a reminder is not private, everyone can see it but they can't delete or edit it.

Deniz Oğuz
October 23, 2017, 10:23 AM

I have tested again and private reminders are not visible to other users in "Reminder Date" and "Reminder Summary" columns. They are only visible to reminder owner or users in the group specified in "Edit Other's Reminder" setting, if any. So there seems to be no bug there.
Is there anything I can help with on this issue? If I have mistaken something, please let me know.

Tobias Bruckmann
October 24, 2017, 11:23 AM

Hi Deniz,
I have made some deeper tests and can confirm that issues with private reminders of other users are shown in the results when using "issuekey in issuesWithReminderForUser("")" (maybe not the expected behaviour), but neither the reminder fields nor the reminder itself could be seen.
Regarding the 'Edit Other's Reminder' option, I have not seen it from the system management perspective, as system administrators still can see and edit other reminders (even private ones). But if this is the case we will use it more restrictively.
Kind regards
Tobias

Deniz Oğuz
October 27, 2017, 6:40 AM

Hi
Actually this is expected behavior. If the searching user has access to the issue itself, he can see the issue when he uses the JQL "Issuekey in issuesWithReminderForUser()". But they can't see the reminder details. Actually, if you really want the issue not to be seen, we can change it too. This will be more restrictive and I think this may not be a problem for other customers either. Just let me know if you really want this to be more restrictive.
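
As an added illustration (not the add-on's code and not part of this ticket), the following Python model encodes the visibility rules described in the comments above and shows the two behaviours discussed for issuesWithReminderForUser: the current one, where any issue the searcher can view is returned while the reminder details stay hidden, and the more restrictive variant, where an issue is returned only if the searcher may also view the reminder. All user, group and issue names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reminder:
    issue: str
    creator: str
    private: bool


# "Groups Allowed to Edit Other's Reminders" (constructed sample group name)
EDITOR_GROUPS = {"reminder-admins"}

# Constructed sample data: group membership and issue-level view permissions.
MEMBERSHIP = {"alice": set(), "bob": set(), "carol": {"reminder-admins"}}
ISSUE_VIEWERS = {
    "PROJ-1": {"alice", "bob", "carol"},
    "PROJ-2": {"alice", "bob", "carol"},
    "PROJ-3": {"alice"},  # bob and carol cannot see this issue at all
}
REMINDERS = [
    Reminder("PROJ-1", "alice", private=True),
    Reminder("PROJ-2", "alice", private=False),
    Reminder("PROJ-3", "alice", private=True),
]


def can_view_reminder(user: str, r: Reminder) -> bool:
    """Reminder-level rule from the thread: non-private reminders are visible to
    everyone; private ones only to the creator or members of the editor groups."""
    if not r.private:
        return True
    return user == r.creator or bool(MEMBERSHIP.get(user, set()) & EDITOR_GROUPS)


def issues_with_reminder_for_user(searcher: str, target: str, restrictive: bool = False) -> list:
    """Model of issuesWithReminderForUser(target) evaluated on behalf of `searcher`.

    Current behaviour (restrictive=False): every issue the searcher can view that
    carries a reminder created by `target` is returned, even for a private
    reminder; the reminder's details are still withheld by can_view_reminder().
    Restrictive variant: additionally require that the searcher may view the
    reminder, so a private reminder's existence is not disclosed by the filter."""
    hits = set()
    for r in REMINDERS:
        if r.creator != target or searcher not in ISSUE_VIEWERS.get(r.issue, set()):
            continue
        if restrictive and not can_view_reminder(searcher, r):
            continue
        hits.add(r.issue)
    return sorted(hits)


if __name__ == "__main__":
    print(issues_with_reminder_for_user("bob", "alice"))  # ['PROJ-1', 'PROJ-2']
    print(issues_with_reminder_for_user("bob", "alice", restrictive=True))  # ['PROJ-2']
```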

Assignee

Deniz Oğuz

Reporter

Tobias Bruckmann

Labels

None

Source

None

Jira Version

None

Database Type/Version

None

Browser Type/Version

None

Affects versions

Priority

Critical